CLAIMS 



1 1. A computer implemented method for preventing 

2 malicious code from propagating in a computer, the method 

3 comprising the steps of: 

4 a blocking-scanning manager detecting attempted 

5 malicious behavior of running code; 

6 responsive to the detection, the blocking- 

7 scanning manager blocking the attempted 

8 malicious behavior; 

9 the blocking-scanning manager generating a 

10 signature to identify the code that 

11 attempted the malicious behavior; 

12 the blocking-scanning manager detecting code 

13 identified by the signature; and 

14 the blocking-scanning manager blocking the 

15 execution of the identified code. 

1 2. The method of claim 1 wherein a source of at least 

2 one of the running code and the identified code comprises a 

3 source from a group of sources consisting of an e-mail 

4 attachment, .a magnetic medium, an optical medium, a file, a 

5 boot sector, and a network remote computer. 
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1 3. The method of claim 1 wherein the blocking- 

2 scanning manager detecting code identified by the signature 

3 further comprises the blocking-scanning manager comparing 

4 the running code to at least one signature generated. 

1 4. The method of claim 3, wherein the blocking- 

2 scanning manager comparing the running code to at least one 

3 signature generated further comprises the blocking-scanning 

4 manager determining that the running code matches at least 

5 one of the generated signatures. 

1 5. The method of claim 1 wherein the blocking- 

2 scanning manager detecting code identified by the signature 

3 further comprises the blocking-scanning manager placing at 

4 least one of the running code and the identified code in a 

5 repository, such that the user cannot execute the code. 

1 6. The method of claim 1 further comprising: 

2 the blocking-scanning manager performing the detecting 

3 step on a first computer able to connect to a 

4 network; 

5 the blocking-scanning manager placing at least one of 

6 the running code and the identified code in a 

7 repository located at a location from a group 
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8 consisting of locally on the first computer, and 

9 remotely on a second computer able to connect to 

10 the network; and 

11 the blocking-scanning manager performing the blocking 

12 step at a location from a group consisting of 

13 locally on the first computer or remotely on a 

14 second computer able to connect to the network. 

1 7. The method of claim 1 wherein detecting code 

2 identified by the signature further comprises: 

3 the blocking-scanning manager alerting a user of the 

4 detection; and 

5 the blocking-scanning manager allowing the user to 

6 choose whether or not to block the execution of 

7 the identified code. 

1 8. The method of claim 7 further comprising the 

2 blocking-scanning manager overriding the user's choice 

3 responsive to the user incorrectly choosing to block non- 

4 malicious behavior or incorrectly choosing not to block 

5 malicious behavior. 

1 9. The method of claim 1 further comprising 

2 the blocking-scanning manager regulating the number of 

3 signatures generated within a period of time. 
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1 10. The method of claim 9 wherein regulating the 

2 number of signatures further comprises: 

3 the blocking-scanning manager recognizing a 

4 predetermined limit on the number of signatures 

5 generated within a period of time; 

6 responsive to reaching the predetermined limit, the 

7 blocking-scanning manager removing older 

8 signatures as newer signatures are generated 

9 11. The method of claim 9 wherein regulating the 

10 number of signatures further comprises: 

11 the blocking-scanning manager sorting the signatures 

12 according to number of matches per signature to 

13 running code that attempted malicious behavior; 

14 and 

15 responsive to reaching the predetermined limit, the 

16 blocking-scanning manager removing the signatures 

17 with the fewest matches as newer signatures are 

18 generated. 

1 12. The method of claim 1 wherein the blocking- 

2 scanning manager blocking the execution of the identified 

3 code further comprises the blocking-scanning manager 

4 associating a name with the identified code. 
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1 13, The method of claim 12 wherein associating a name 

2 with the identified code further comprises the blocking- 

3 scanning manager changing the name to accord with a new 

4 definition of the identified code in a database of known 

5 malicious code. 



1 14. The method of claim 1 wherein the blocking- 

2 scanning manager generating a signature to identify the 

3 code that attempted the malicious behavior further 

4 comprises: 

5 the blocking-scanning manager applying a checksum 

6 function to generate a checksum of the code that 

7 attempted the malicious behavior; 

8 the blocking-scanning manager storing the checksum; 

9 and 

10 the blocking-scanning manager using at least one 

11 stored checksum to identify code that attempted 

12 malicious behavior. 

1 15. The method of claim 1 wherein the blocking- 

2 scanning manager generating a signature to identify the 

3 code that attempted the malicious behavior further 

4 comprises: 
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5 the blocking-scanning manager applying a hash function 

6 to generate a hash of the code that attempted the 

7 malicious behavior; 

8 the blocking-scanning manager storing the hash; and 

9 the blocking-scanning manager using at least one 

10 stored hash to identify code that attempted 

11 malicious behavior. 

1 16, The method of claim 15 wherein the blocking- 

2 scanning manager applying a hash function to generate a 

3 hash further comprises the blocking-scanning manager 

4 generating a hash of at least a portion of a code segment 

5 of computer-readable contents associated with the code. 

1 17. The method of claim 15 wherein the blocking — 

2 scanning manager applying a hash function to generate a 

3 hash further comprises the blocking-scanning manager 

4 generating a hash of at least a portion of a data segment 

5 of computer-readable contents associated with the code. 

1 18. The method of claim 15 wherein the blocking- 

2 scanning manager applying a hash function to generate a 

3 hash further comprises the blocking-scanning manager 

4 generating a hash of at least a portion of a header of 

5 computer-readable contents associated with the code. 
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1 19. A computer system for preventing the propagation 

2 of malicious code, the computer system comprising: 

3 a running code detection module, configured to 

4 detect attempted malicious behavior of 

5 running code; 

6 a running code blocking module, configured to 

7 block the attempted malicious behavior in 

8 response to positive' detection, the running 

9 code blocking module being communicatively 

10 coupled to the running code detection 

11 module; 

12 a signature module, configured to generate a 

13 signature to identify the code that 

14 attempted the malicious behavior, the 

15 signature module being communicatively 

16 coupled to the running code blocking module; 

17 an scanning module, configured to detect code 

18 identified by the signature, the scanning 

19 module being communicatively coupled to the 

20 signature module; and 

21 an identified code blocking module, configured to 

22 block the execution of the identified code, 

23 the identified code blocking module being 
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24 
25 



communicatively coupled to the scanning 
module . 



1 20. The computer system of claim 19, further 

2 comprising a repository, configured to store at least one 

3 of the running code and the identified code, such that the 

4 user cannot execute the code, the repository being 

5 communicatively coupled to the running code detection 

6 module and the scanning module. 

1 21. The computer system of claim 19, wherein the 

2 scanning module is further configured to compare running 

3 code to at least one signature generated, the scanning 

4 module being communicatively coupled to the signature 

5 module. 

1 22. The computer system of claim 19, further 

2 comprising an alert module, configured to alert a user of 

3 detection of attempted malicious behavior of code, wherein 

4 the alert module is further configured to allow a user to 

5 choose whether or not to block the execution of the code, 

6 the alert module being communicatively coupled to the 

7 running code detection module and the scanning module. 
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1 23. The computer system of claim 22, wherein the 

2 alert module is further configured to override the user's 

3 choice responsive to the user incorrectly choosing to block 

4 non-malicious behavior or incorrectly choosing not to block 

5 malicious behavior. 

1 24. The computer system of claim 19, further 

2 comprising a signature regulation module, configured to 

3 regulate the number of signatures generated within a period 

4 of time, the signature regulation module being 

5 communicatively coupled to the signature module. 

1 25. A computer-readable medium containing a computer 

2 program product for preventing the propagation of malicious 

3 code in a computer, the computer program product 

4 comprising : ■ 

5 program code for a blocking-scanning manager 

6 detecting an attempted malicious behavior of 

7 a running code; 

8 program code for the blocking-scanning manager 

9 blocking the attempted malicious behavior in 
10 response to the detection; 
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11 program code for the blocking-scanning manager 

12 generating a signature to identify the code 

13 that attempted the malicious behavior; 

14 program code for the blocking-scanning manager 

15 detecting code identified by the signature; 

16 and 

17 program code for the blocking-scanning manager 

18 blocking the execution of the identified 

19 code. 

1 26. The computer program product of claim 25, further 

2 comprising program code for the blocking-scanning manager 

3 comparing the running code to at least one signature 

4 generated. 

1 27. The computer program product of claim 25, further 

2 comprising program code for the blocking-scanning manager 

3 associating a name with the identified code. 

1 28. The computer program product of claim 25, further 

2 comprising: 

3 program code for a blocking-scanning manager alerting 

4 a user of detection of attempted malicious 

5 behavior of code; and 
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6 



7 



8 



program code for a blocking-scanning manager allowing 
a user to choose whether or not to block the 
execution of the code. 



1 29. The computer program product of claim 28, further 

2 comprising program code for a blocking-scanning manager 

3 overriding the user's choice responsive to the user 

4 incorrectly choosing to block non-malicious behavior or 

5 incorrectly choosing not to block malicious behavior. 
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